You can outsource the work, but not the responsibility.
Many organizations are under the impression that if they outsource their credit card transactions, they are no longer responsible for PCI compliance. Outsourcing may reduce the scope of the PCI environment, but it does not relieve the organization of its responsibility for compliance.
Outsourcing credit card transactions may be a good business decision, provided the organization has done its homework in choosing a vendor that can demonstrate its own PCI compliance and security competence. Done properly, it can remove the organization’s internal network from the scope of PCI requirements such as data encryption and vulnerability scanning. There will usually still be areas within the organization that fall within scope, such as the point where cards are scanned; for example, the policies for handling cards at swipe time will still need to be in place. In addition, the merchant may need to prove that the vendor has the appropriate policies and controls during their audit or when completing their Self-Assessment Questionnaires.
Let’s look at a hypothetical scenario: A merchant has outsourced their credit card transactions. The vendor to which they outsourced is then compromised, and credit card numbers are lost. Who will the bank and card companies look to when imposing fines? Who will the card companies look to when recouping the cost of replacing their customers’ cards? Who will be the defendant in the lawsuits the card holders bring? Who will lose the confidence of those customers and of potential future customers?
Companies need to do their due diligence to ensure their business partners and outsourced providers are meeting compliance and regulatory requirements. They need to stay abreast of the regulations and take the time to understand specifically where they are and are not responsible. Their management and legal teams need to stay involved to ensure their business and technical partners have the company’s best interest in mind.
A third-party vendor assessment is one way to gain assurance that partners are meeting their requirements. Companies also need to conduct a periodic formal gap assessment to make sure all regulatory requirements are being addressed and that controls are updated on a regular basis.